PERFORCE change 15164 for review
Robert Watson
rwatson at freebsd.org
Tue Jul 30 04:20:08 GMT 2002
http://people.freebsd.org/~peter/p4db/chv.cgi?CH=15164
Change 15164 by rwatson at rwatson_paprika on 2002/07/29 21:19:36
Make the ugidfw command link against the new libugidfw rather
than implementing the various sysctl-frobbing/parsing/...
calls itself.
Affected files ...
.. //depot/projects/trustedbsd/mac/usr.sbin/ugidfw/Makefile#2 edit
.. //depot/projects/trustedbsd/mac/usr.sbin/ugidfw/ugidfw.c#7 edit
Differences ...
==== //depot/projects/trustedbsd/mac/usr.sbin/ugidfw/Makefile#2 (text+ko) ====
@@ -2,5 +2,6 @@
PROG= ugidfw
NOMAN= yes
+LDADD= -lugidfw
.include <bsd.prog.mk>
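Review bot: The new `LDADD= -lugidfw` on line 18 has no matching `DPADD`, so make's dependency tracking will not relink ugidfw when the library it now depends on is rebuilt. bsd.prog.mk convention is to pair them, e.g. `DPADD= ${LIBUGIDFW}` if bsd.libnames.mk defines that variable for the new library (not visible in this change), otherwise the library's path.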
==== //depot/projects/trustedbsd/mac/usr.sbin/ugidfw/ugidfw.c#7 (text+ko) ====
@@ -41,21 +41,10 @@
#include <security/mac_bsdextended/mac_bsdextended.h>
-#include <grp.h>
-#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-
-/*
- * Text format for rules: rules contain subjectand object elements, mode.
- * Each element takes the form "[not] [uid number] [gid number]".
- * The total form is "subject [element] object [element] mode [mode]".
- * At least * one of a uid or gid entry must be present; both may also be
- * present.
- */
-
-#define MIB "security.mac.bsdextended"
+#include <ugidfw.h>
void
usage(void)
@@ -63,432 +52,60 @@
fprintf(stderr, "ugidfw list\n");
fprintf(stderr, "ugidfw set rulenum [subject [not] [uid uid] [gid gid]]"
- " [object [not] [uid uid] [gid gid]] mode arswxn\n");
+ " [object [not] \\\n");
+ fprintf(stderr, " [uid uid] [gid gid]] mode arswxn\n");
fprintf(stderr, "ugidfw remove rulenum\n");
- exit (-1);
-}
-void
-print_rule(int rulenum, struct mac_bsdextended_rule *rule)
-{
- struct group *grp;
- struct passwd *pwd;
- int anymode, unknownmode;
-
- printf("%d ", rulenum);
- if (rule->mbr_subject.mbi_flags & (MBI_UID_DEFINED |
- MBI_GID_DEFINED)) {
- printf("subject ");
- if (rule->mbr_subject.mbi_flags & MBI_NEGATED)
- printf("not ");
- if (rule->mbr_subject.mbi_flags & MBI_UID_DEFINED) {
- pwd = getpwuid(rule->mbr_subject.mbi_uid);
- if (pwd != NULL)
- printf("uid %s ", pwd->pw_name);
- else
- printf("uid %u ", rule->mbr_subject.mbi_uid);
- }
- if (rule->mbr_subject.mbi_flags & MBI_GID_DEFINED) {
- grp = getgrgid(rule->mbr_subject.mbi_gid);
- if (grp != NULL)
- printf("gid %s ", grp->gr_name);
- else
- printf("gid %u ", rule->mbr_subject.mbi_gid);
- }
- }
- if (rule->mbr_object.mbi_flags & (MBI_UID_DEFINED |
- MBI_GID_DEFINED)) {
- printf("object ");
- if (rule->mbr_object.mbi_flags & MBI_NEGATED)
- printf("not ");
- if (rule->mbr_object.mbi_flags & MBI_UID_DEFINED) {
- pwd = getpwuid(rule->mbr_object.mbi_uid);
- if (pwd != NULL)
- printf("uid %s ", pwd->pw_name);
- else
- printf("uid %u ", rule->mbr_object.mbi_uid);
- }
- if (rule->mbr_object.mbi_flags & MBI_GID_DEFINED) {
- grp = getgrgid(rule->mbr_object.mbi_gid);
- if (grp != NULL)
- printf("gid %s ", grp->gr_name);
- else
- printf("gid %u ", rule->mbr_object.mbi_gid);
- }
- }
-
- printf("mode ");
- anymode = (rule->mbr_mode & VALLPERM);
- unknownmode = (rule->mbr_mode & ~VALLPERM);
-
- if (rule->mbr_mode & VADMIN)
- printf("a");
- if (rule->mbr_mode & VREAD)
- printf("r");
- if (rule->mbr_mode & VSTAT)
- printf("s");
- if (rule->mbr_mode & VWRITE)
- printf("w");
- if (rule->mbr_mode & VEXEC)
- printf("x");
- if (!anymode)
- printf("n");
- if (unknownmode)
- printf("?");
-
- printf("\n");
-}
-
-int
-parse_identity(int argc, char *argv[],
- struct mac_bsdextended_identity *identity)
-{
- struct group *grp;
- struct passwd *pwd;
- int uid_seen, gid_seen, not_seen;
- int current;
- char *endp;
- long value;
- uid_t uid;
- gid_t gid;
-
- if (argc == 0) {
- fprintf(stderr, "Identity must not be empty\n");
- return (-1);
- }
-
- current = 0;
-
- /* First element might be "not". */
- if (strcmp("not", argv[0]) == 0) {
- not_seen = 1;
- current++;
- } else
- not_seen = 0;
-
- if (current >= argc) {
- fprintf(stderr, "Identity short.\n");
- return (-1);
- }
-
- uid_seen = 0;
- gid_seen = 0;
-
- /* First phrase: uid [uid] or gid[gid]. */
- if (strcmp("uid", argv[current]) == 0) {
- if (current + 2 > argc) {
- fprintf(stderr, "uid short.\n");
- return (-1);
- }
- pwd = getpwnam(argv[current+1]);
- if (pwd != NULL)
- uid = pwd->pw_uid;
- else {
- value = strtol(argv[current+1], &endp, 10);
- if (*endp != '\0') {
- fprintf(stderr, "invalid uid: '%s'\n",
- argv[current+1]);
- return (-1);
- }
- uid = value;
- }
- uid_seen = 1;
- current += 2;
- } else if (strcmp("gid", argv[current]) == 0) {
- if (current + 2 > argc) {
- fprintf(stderr, "gid short.\n");
- return (-1);
- }
- grp = getgrnam(argv[current+1]);
- if (grp != NULL)
- gid = grp->gr_gid;
- else {
- value = strtol(argv[current+1], &endp, 10);
- if (*endp != '\0') {
- fprintf(stderr, "invalid gid: '%s'\n",
- argv[current+1]);
- return (-1);
- }
- gid = value;
- }
- gid_seen = 1;
- current += 2;
- } else {
- fprintf(stderr, "'%s' not expected.\n", argv[current]);
- return (-1);
- }
-
- /* Onto optional second phrase. */
- if (current + 1 < argc) {
- /* Second phrase: uid [uid] or gid [gid], but not a repeat. */
- if (strcmp("uid", argv[current]) == 0) {
- if (uid_seen) {
- fprintf(stderr, "Only one uid permitted per "
- "identity clause.\n");
- return (-1);
- }
- if (current + 2 > argc) {
- fprintf(stderr, "uid short.\n");
- return (-1);
- }
- value = strtol(argv[current+1], &endp, 10);
- if (*endp != '\0') {
- fprintf(stderr, "invalid uid: '%s'\n",
- argv[current+1]);
- return (-1);
- }
- uid = value;
- uid_seen = 1;
- current += 2;
- } else if (strcmp("gid", argv[current]) == 0) {
- if (gid_seen) {
- fprintf(stderr, "Only one gid permitted per "
- "identity clause.\n");
- return (-1);
- }
- if (current + 2 > argc) {
- fprintf(stderr, "gid short.\n");
- return (-1);
- }
- value = strtol(argv[current+1], &endp, 10);
- if (*endp != '\0') {
- fprintf(stderr, "invalid gid: '%s'\n",
- argv[current+1]);
- return (-1);
- }
- gid = value;
- gid_seen = 1;
- current += 2;
- } else {
- fprintf(stderr, "'%s' not expected.\n", argv[current]);
- return (-1);
- }
- }
-
- if (current +1 < argc) {
- fprintf(stderr, "'%s' not expected.\n", argv[current]);
- return (-1);
- }
-
- /* Fill out the identity. */
- identity->mbi_flags = 0;
-
- if (not_seen)
- identity->mbi_flags |= MBI_NEGATED;
-
- if (uid_seen) {
- identity->mbi_flags |= MBI_UID_DEFINED;
- identity->mbi_uid = uid;
- } else
- identity->mbi_uid = 0;
-
- if (gid_seen) {
- identity->mbi_flags |= MBI_GID_DEFINED;
- identity->mbi_gid = gid;
- } else
- identity->mbi_gid = 0;
-
- return (0);
-}
-
-int
-parse_mode(int argc, char *argv[], mode_t *mode)
-{
- int i;
-
- if (argc == 0) {
- fprintf(stderr, "mode expects mode value.\n");
- return (-1);
- }
-
- if (argc != 1) {
- fprintf(stderr, "'%s' unexpected.\n", argv[1]);
- return (-1);
- }
-
- *mode = 0;
- for (i = 0; i < strlen(argv[0]); i++) {
- char c;
-
- switch (argv[0][i]) {
- case 'a':
- *mode |= VADMIN;
- break;
- case 'r':
- *mode |= VREAD;
- break;
- case 's':
- *mode |= VSTAT;
- break;
- case 'w':
- *mode |= VWRITE;
- break;
- case 'x':
- *mode |= VEXEC;
- break;
- case 'n':
- /* ignore */
- break;
- default:
- fprintf(stderr, "Unknown mode letter: %c\n",
- argv[0][i]);
- return (-1);
- }
- }
-
- return (0);
+ exit(-1);
}
-int
-parse_rule(int argc, char *argv[], struct mac_bsdextended_rule *rule)
-{
- int subject, subject_elements, subject_elements_length;
- int object, object_elements, object_elements_length;
- int mode, mode_elements, mode_elements_length;
- int error, i;
-
- bzero(rule, sizeof(*rule));
-
- if (argc < 1) {
- fprintf(stderr, "Rule must begin with subject.\n");
- return (-1);
- }
-
- if (strcmp(argv[0], "subject") != 0) {
- fprintf(stderr, "Rule must begin with subject.\n");
- return (-1);
- }
- subject = 0;
- subject_elements = 1;
-
- /* Search forward for object. */
-
- object = -1;
- for (i = 1; i < argc; i++)
- if (strcmp(argv[i], "object") == 0)
- object = i;
-
- if (object == -1) {
- fprintf(stderr, "Rule must contain an object.\n");
- return (-1);
- }
-
- /* Search forward for mode. */
- mode = -1;
- for (i = object; i < argc; i++)
- if (strcmp(argv[i], "mode") == 0)
- mode = i;
-
- if (mode == -1) {
- fprintf(stderr, "Rule must contain mode.\n");
- return (-1);
- }
-
- subject_elements_length = object - subject - 1;
- object_elements = object + 1;
- object_elements_length = mode - object_elements;
- mode_elements = mode + 1;
- mode_elements_length = argc - mode_elements;
-
- error = parse_identity(subject_elements_length,
- argv + subject_elements, &rule->mbr_subject);
- if (error)
- return (-1);
-
- error = parse_identity(object_elements_length, argv + object_elements,
- &rule->mbr_object);
- if (error)
- return (-1);
-
- error = parse_mode(mode_elements_length, argv + mode_elements,
- &rule->mbr_mode);
- if (error)
- return (-1);
-
- return (0);
-}
-
-int
-get_mib(const char *string, int *name, int *namelen)
-{
- int error, len;
-
- len = *namelen;
- error = sysctlnametomib(string, name, &len);
- if (error)
- return (error);
-
- *namelen = len;
- return (0);
-}
-
void
list_rules(void)
{
+ char errstr[BUFSIZ], charstr[BUFSIZ];
struct mac_bsdextended_rule rule;
- size_t size;
- int name[10];
- int error, i, len, rule_count, rule_slots;
+ int error, i, rule_count, rule_slots;
- len = sizeof(rule_slots);
- error = sysctlbyname(MIB ".rule_slots", &rule_slots, &len, NULL, NULL);
- if (error) {
- perror(MIB ".rule_slots");
- return;
+ rule_slots = bsde_get_rule_slots(BUFSIZ, errstr);
+ if (rule_slots == -1) {
+ fprintf(stderr, errstr);
+ exit (-1);
}
- if (len != sizeof(rule_slots)) {
- fprintf(stderr, "rule_slots wrong size\n");
- return;
- }
- len = sizeof(rule_count);
- error = sysctlbyname(MIB ".rule_count", &rule_count, &len, NULL, NULL);
- if (error) {
- perror(MIB ".rule_count");
- return;
+ rule_count = bsde_get_rule_count(BUFSIZ, errstr);
+ if (rule_count == -1) {
+ fprintf(stderr, errstr);
+ exit (-1);
}
- if (len != sizeof(rule_count)) {
- fprintf(stderr, "rule_count wrong size\n");
- return;
- }
-/*
- if (rule_count == 1)
- printf("%d rule\n", rule_count);
- else
- printf("%d rules\n", rule_count);
-*/
+ printf("%d slots, %d rules\n", rule_slots, rule_count);
- len = 10;
- error = get_mib(MIB ".rules", name, &len);
- if (error) {
- perror(MIB ".rules");
- return;
- }
+ for (i = 0; i <= rule_slots; i++) {
+ error = bsde_get_rule(i, &rule, BUFSIZ, errstr);
+ switch (error) {
+ case -2:
+ continue;
+ case -1:
+ fprintf(stderr, "rule %d: %s\n", i, errstr);
+ continue;
+ case 0:
+ break;
+ }
- len++;
- for (i = 0; i <= rule_slots; i++) {
- name[len-1] = i;
- size = sizeof(rule);
- error = sysctl(name, len, &rule, &size, NULL, 0);
- if (error) {
- if (errno != ENOENT)
- perror(MIB);
- } else if (size != sizeof(rule))
- fprintf(stderr, "rule size mismatch\n");
+ if (bsde_rule_to_string(&rule, charstr, BUFSIZ) == -1)
+ printf("oops!\n");
else
- print_rule(i, &rule);
+ printf("%d %s\n", i, charstr);
}
}
void
set_rule(int argc, char *argv[])
{
+ char errstr[BUFSIZ];
struct mac_bsdextended_rule rule;
long value;
- size_t size;
- int name[10];
- int error, len, rulenum;
+ int error, rulenum;
char *endp;
if (argc < 1)
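Review bot: `fprintf(stderr, errstr);` on lines 420 and 434 passes a non-literal buffer as the format string; errstr is filled by libugidfw and may carry text from the kernel or from the user's input, so any `%` in it is interpreted and the call is inconsistent with the `"%s\n"` form used at lines 500, 508 and 546. Both should read `fprintf(stderr, "%s\n", errstr);`, which also restores the trailing newline those two paths currently lack. Separately, the `printf("oops!\n")` on line 476 reports a bsde_rule_to_string failure on stdout, where it is indistinguishable from rule output; a message on stderr such as `fprintf(stderr, "rule %d: unable to format rule\n", i);` would be clearer. The `<= rule_slots` bound on line 454 is carried over from the old loop, so it is not introduced here, but it is worth confirming against what bsde_get_rule_slots actually reports. set_rule starts at the end of this hunk and continues in the next.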
@@ -503,33 +120,25 @@
rulenum = value;
- error = parse_rule(argc - 1, argv + 1, &rule);
- if (error)
+ error = bsde_parse_rule(argc - 1, argv + 1, &rule, BUFSIZ, errstr);
+ if (error) {
+ fprintf(stderr, "%s\n", errstr);
return;
+ }
- len = 10;
- error = get_mib(MIB ".rules", name, &len);
+ error = bsde_set_rule(rulenum, &rule, BUFSIZ, errstr);
if (error) {
- perror(MIB ".rules");
+ fprintf(stderr, "%s\n", errstr);
return;
}
-
- name[len] = rulenum;
- len++;
-
- size = sizeof(rule);
- error = sysctl(name, len, NULL, NULL, &rule, size);
- if (error)
- perror(MIB ".rules");
}
void
remove_rule(int argc, char *argv[])
{
- struct mac_bsdextended_rule rule;
+ char errstr[BUFSIZ];
long value;
- int name[10];
- int error, len, rulenum;
+ int error, rulenum;
char *endp;
if (argc != 1)
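Review bot: The `rule` struct declared on line 486 reaches bsde_parse_rule on line 498 without being cleared, whereas the removed parse_rule did `bzero(rule, sizeof(*rule))` (line 329) before filling it in. If bsde_parse_rule does not zero it itself (its source is not part of this change), any field it leaves untouched, including struct padding, is handed to the kernel by bsde_set_rule as part of the installed rule; a `memset(&rule, 0, sizeof(rule));` before the call costs nothing and removes the dependency on library behaviour. set_rule begins in the previous hunk, and the strtol validation that produces `rulenum` is outside this one; note that line 495 still narrows a `long` into an `int` without a range check.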
@@ -544,18 +153,9 @@
rulenum = value;
- len = 10;
- error = get_mib(MIB ".rules", name, &len);
- if (error) {
- perror(MIB ".rules");
- return;
- }
-
- name[len] = rulenum;
- len++;
- error = sysctl(name, len, NULL, NULL, &rule, 0);
+ error = bsde_delete_rule(rulenum, BUFSIZ, errstr);
if (error)
- perror("sysctl");
+ fprintf(stderr, "%s\n", errstr);
}
int
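Review bot: A bsde_delete_rule failure on line 543 is only printed and then remove_rule returns void, so unless main (which starts at the end of this hunk, outside it) tracks the outcome, `ugidfw remove` exits 0 while the rule is still in place; the same applies to the `return` paths in set_rule above, where a policy rule silently fails to be installed. That is a fail-open outcome for a script driving the tool, and it is inconsistent with list_rules, which calls `exit (-1)` on error. Suggest either having these functions return int and letting main propagate a non-zero status, or exiting directly on failure, e.g. `if (error) { fprintf(stderr, "%s\n", errstr); exit(1); }`.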